On Unix/Linux, users with uid=0 are root, which means any security checks are bypassed for them.
An adversary might go ahead and create a new account, or set an existing account's user identifier (uid) or group identifier (gid) to zero.
A simple way to do this is to edit the account's entry in /etc/passwd, or to use `usermod -u 0 -o mallory`.
Let's create a new user named mallory:

```
wuzzi@saturn:/$ sudo adduser mallory
[...]
wuzzi@saturn:/$ cat /etc/passwd | grep mallory
mallory:x:1001:1001::/home/mallory:/bin/sh
```
Observe that the user has the uid 1001.
Next, set the uid to 0 using usermod (the `-o` flag allows the non-unique uid):

```
wuzzi@saturn:/$ sudo usermod -u 0 -o mallory
wuzzi@saturn:/$ cat /etc/passwd | grep mallory
mallory:x:0:1001::/home/mallory:/bin/sh
```
Finally, use the account and observe what happens:

```
wuzzi@saturn:/$ su mallory
Password: [....]
root@saturn:/# whoami
root
root@saturn:/# :)
```
Detection and Threat Hunting
Depending on your central log collection tools, all you need to do is look for `:0:` in the /etc/passwd file, in either the user id or the group id field. On the command line on a host this can be done with something like:
```
$ cat /etc/passwd | grep ":0:"
```
The result of this command will look similar to:
It's unlikely, but if you encounter a BSD system you might actually see two users with uid 0. One is named root and the other one toor. So on non-BSD systems a nifty attacker might attempt to trick Unix administrators and hide an additional backdoor user with the name toor.
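As an added example (not part of the original post), here is a Python version of the check from the two passages above. It parses the seven passwd(5) fields instead of grepping for the literal `:0:`, so a `0` in the GECOS field no longer produces a false positive, reports every account other than the expected ones that carries uid 0 or gid 0, and only whitelists `toor` when you tell it the host is a BSD where that account is legitimate. The sample passwd content, host name and account names are constructed for the example.

```python
"""Audit /etc/passwd for extra uid 0 / gid 0 accounts by parsing the fields
instead of grepping for the literal ":0:"."""
from typing import List, NamedTuple, Set, Tuple


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines; skips blanks, comments and NIS '+'/'-' compat lines."""
    entries: List[PasswdEntry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


# Accounts that legitimately carry uid 0. Pass {"root", "toor"} on BSD hosts;
# on Linux a "toor" entry is exactly the lookalike the post warns about.
EXPECTED_UID0: Set[str] = {"root"}


def find_privileged_accounts(
    entries: List[PasswdEntry], expected: Set[str] = EXPECTED_UID0
) -> List[Tuple[str, List[str]]]:
    """Return (name, reasons) for every entry with uid 0 or gid 0 not in `expected`."""
    findings: List[Tuple[str, List[str]]] = []
    for e in entries:
        if e.name in expected:
            continue
        reasons = []
        if e.uid == 0:
            reasons.append("uid=0")
        if e.gid == 0:
            reasons.append("gid=0")  # primary group root is a lead, not proof by itself
        if reasons:
            findings.append((e.name, reasons))
    return findings


def naive_grep(text: str) -> List[str]:
    """The post's literal ':0:' check, returning matching account names for comparison."""
    return [line.split(":")[0] for line in text.splitlines() if ":0:" in line]


# Constructed sample passwd content (not from a real host). 'builder' has a
# GECOS field of "0", which the literal grep matches although its ids are harmless.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
wuzzi:x:1000:1000:wuzzi:/home/wuzzi:/bin/bash
mallory:x:0:1001::/home/mallory:/bin/sh
toor:x:0:0::/root:/bin/sh
auditor:x:1002:0::/home/auditor:/bin/sh
builder:x:1003:1003:0:/home/builder:/bin/sh
"""

if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    for name, reasons in find_privileged_accounts(entries):
        print(f"{name}: {', '.join(reasons)}")
    print("naive grep matches:", naive_grep(SAMPLE_PASSWD))
```

On a real host replace `SAMPLE_PASSWD` with the contents of /etc/passwd; the same parser works on `getent passwd` output if accounts come from LDAP or NIS as well.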
In case you find backdoor users in your environment - I’d be curious to know.
Be aware that users with uid=0 are root users. It's hardcoded.
One would expect the system to break, but things seem to continue working fine. I always assumed that the configuration is not really supported, but malware and malicious users rarely care about supported configurations.